23andMe Settles Data Breach Lawsuit for $30 Million
The accord also resolves accusations that 23andMe did not tell customers with Chinese and Ashkenazi Jewish ancestry that the hacker appeared to have specifically targeted them, and posted their information for sale on the dark web.
A preliminary settlement of the proposed class action was filed late Thursday night in federal court in San Francisco, and requires a judge’s approval.
It includes cash payments for customers whose data was compromised, and lets customers enroll for three years in a program known as Privacy & Medical Shield + Genetic Monitoring.
In a Friday court filing, 23andMe called the settlement fair, adequate and reasonable.
Citing its “extremely uncertain financial condition,” 23andMe also asked the judge to halt arbitrations by tens of thousands of class members, until the settlement is approved or they decide not to participate.
In a statement, 23andMe said it believes the settlement is in its customers’ best interest. It also expects about $25 million of the cost to be covered by cyber insurance coverage.
The breach began around April 2023 and lasted about five months, affecting nearly half of the 14.1 million customers in 23andMe’s database at the time. It was disclosed by 23andMe in an October 2023 blog post.
According to the company, the hacker accessed 5.5 million DNA Relatives profiles, which let customers share information with each other, and accessed information for another 1.4 million customers who used a feature called Family Tree.
Lawyers for the plaintiffs said the settlement addressed their clients’ main claims, and reflected significant risks of further litigation given 23andMe’s “dire” finances.
The South San Francisco-based company lost $69.4 million on revenue of $40.4 million in the quarter ending June 30.
Co-founder and Chief Executive Anne Wojcicki has been trying to take 23andMe private, three years after it went public at $10 per share. Its shares have traded below $1 since mid-December.
The plaintiffs’ lawyers may seek legal fees of up to 25% of the settlement amount.
The case is In re 23andMe Inc Customer Data Security Breach Litigation, U.S. District Court, Northern District of California, No. 24-md-03098.
(Reporting by Jonathan Stempel in New York; editing by Jonathan Oatis)